recommend semanage fcontext for selinux #1336
Sorry for the long delay processing this @immanetize. Please update the 2.1 and 2.3 files and I'll merge this.
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/var | ||
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/pub/media | ||
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/pub/static | ||
export mageroot="/path/to/your_magento_install_dir" |
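Review bot: on the added `export mageroot="/path/to/your_magento_install_dir"` line, the placeholder is easy to paste unchanged, and the commands after it depend on the value. Suggest stating beside the line that it must be the absolute path of the installation with no trailing slash, and having the block stop when the directory does not exist (for example `test -d "$mageroot"` before the next command), so a wrong path fails early instead of being recorded as a default file context.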
All these commands should be wrapped in code fences and separated by &&
so you can copy/paste the whole block and run it in a terminal.
>```bash
>export mageroot="/path/to/your_magento_install_dir"
>...
>```
|
||
The preceding commands work only with the Apache web server. Because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see: | ||
The first command sets an environment variable to the root directory of your Magento installation directory, verify and substitute the correct path. The `semanage` commands set the default file context for directories that Magento needs to write to, and the `restorecon` command applies the contexts in policy to the files on disk. |
The first command sets an environment variable to the root directory of your Magento installation directory, verify and substitute the correct path. The `semanage` commands set the default file context for directories that Magento needs to write to, and the `restorecon` command applies the contexts in policy to the files on disk. | |
The first command sets an environment variable to the root directory of your Magento installation directory. You must verify and substitute the correct path to your installation. The `semanage` commands set the default file context for directories that Magento needs to write to. The `restorecon` command applies the contexts in policy to the files on disk. |
The preceding commands work only with the Apache web server. Because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see: | ||
The first command sets an environment variable to the root directory of your Magento installation directory, verify and substitute the correct path. The `semanage` commands set the default file context for directories that Magento needs to write to, and the `restorecon` command applies the contexts in policy to the files on disk. | ||
|
||
New files will then automatically inherit the context of the directory they are created in, and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory then moves (ie `mv /home/frank/jar.css $mageroot/`) them into the web server's document root, you should use `restorecon` to restore the proper context to your files. |
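Review bot: in the `mv /home/frank/jar.css $mageroot/` example, `$mageroot` is unquoted, so an installation path containing spaces breaks the command; write `"$mageroot/"`. The sentence also tells the reader to use `restorecon` without showing an invocation, so a concrete command on the installation directory would make the step copyable. "and stay with the file" has no clear subject (it is the context that stays), and "ie" should read "for example".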
New files will then automatically inherit the context of the directory they are created in, and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory then moves (ie `mv /home/frank/jar.css $mageroot/`) them into the web server's document root, you should use `restorecon` to restore the proper context to your files. | |
New files inherit the context of the directory in which they are created and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory and then moves them into the web server's document root (for example `mv /home/frank/jar.css $mageroot/`), you should use the `restorecon` command to restore the proper context to your files. |
|
||
New files will then automatically inherit the context of the directory they are created in, and stay with the file when it moves. If you have a deployment method that creates files in a scratch directory then moves (ie `mv /home/frank/jar.css $mageroot/`) them into the web server's document root, you should use `restorecon` to restore the proper context to your files. | ||
|
||
This example is known to work with Apache, and may work with other packaged web servers, but because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see: |
This example is known to work with Apache, and may work with other packaged web servers, but because of the variety of configurations and security requirements, we don't guarantee these commands work in all situations. For more information, see: | |
This example is known to work with Apache and may work with other packaged web servers, but because of the variety of configurations and security requirements, we cannot guarantee these commands work in all situations. For more information, see: |
An admin must run tests on this PR before it can be merged.
There has been no communication for some time; we are closing this pull request. If you have further comments and feedback, please create an issue or a new pull request. Thanks for taking the time to contribute to docs improvement!
Hi @immanetize, thank you for your contribution!
Using `chcon` isn't ideal, better to set and apply a default policy. Files can end up with a 'wrong' label for all sorts of reasons (most commonly a `mv`, so I made a specific note about that) using `chcon` can be tedious. It's much more convenient post-deployment to run `restorecon -R /path`.

A bunch of webservers should have appropriate policy:
... but it seems better not to go into it, so I simply changed ~"It will only work with Apache" to ~"ymmv". In practice, I'd say that a web server that wasn't shipped SELinux-friendly and appropriately confined should simply not be used in production, but this doc is not my soapbox :)
whatsnew

Replaced `chcon` commands with `semanage` and `restorecon` in the installation security section.
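The workflow the description argues for (record default contexts with `semanage fcontext`, apply them with `restorecon`, and spot files that kept a foreign label after a `mv`), as an added example that is not code from this PR or from Magento. The `(/.*)?` path pattern, the sample root `/var/www/magento`, the helper names and the sample labels are assumptions made for illustration; the script prints the commands unless `APPLY=1` is set.

```shell
#!/usr/bin/env bash
# Added example: persistent labels via policy instead of one-off chcon.
# Dry run by default; set APPLY=1 and run as root on an SELinux host to execute.

RW_TYPE="httpd_sys_rw_content_t"          # type used by the chcon lines on this page
WRITABLE_DIRS="var pub/media pub/static"  # directories named in those same lines

run() {  # print the command unless APPLY=1
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Path regex for semanage: the directory itself plus everything beneath it.
fcontext_spec() {
    local root="${1%/}" dir="$2"   # strip a trailing slash from the root
    case "$root" in
        /*) printf '%s/%s(/.*)?\n' "$root" "$dir" ;;
        *)  echo "mageroot must be an absolute path: $1" >&2; return 1 ;;
    esac
}

# Record the default context in policy, then apply it to the files on disk.
label_magento() {
    local root="${1%/}" dir spec
    for dir in $WRITABLE_DIRS; do
        spec=$(fcontext_spec "$root" "$dir") || return 1
        run semanage fcontext -a -t "$RW_TYPE" "$spec" || return 1
    done
    run restorecon -R -v "$root/var" "$root/pub/media" "$root/pub/static"
}

# Read "context path" lines (e.g. from: find DIR -printf '%Z %p\n') and list
# files whose type is not RW_TYPE, such as files moved in with mv.
mislabeled() {
    awk -v want="$RW_TYPE" '{ split($1, c, ":"); if (c[3] != want) print $2, c[3] }'
}

# Constructed sample: jar.css was moved from a home directory and kept its label.
SAMPLE='system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/magento/pub/static/app.js
unconfined_u:object_r:user_home_t:s0 /var/www/magento/pub/static/jar.css'

label_magento "${mageroot:-/var/www/magento}"
printf '%s\n' "$SAMPLE" | mislabeled
```

Running `restorecon` on a file that `mislabeled` reports resets it to the type recorded by the `semanage` rule, which is the post-deployment step the description recommends.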